Our colleagues from Dell SecureWorks who never reply to our emails published a research paper about Pushdo and its domain generation algorithm (DGA). DGAs are implemented in malware to make its C&C infrastructure resilient to takedowns: instead of a fixed list of domains that can be sinkholed, the bot computes a fresh set of candidate domains from the current date and contacts whichever one the operator has registered. Other malware families that feature DGAs include Conficker A/B/C, ZeuS Gameover, MultiBanker, Shiz, Bamital, Sinowal, ZeroAccess, TDSS and others.

This is the Pushdo DGA:

Be aware that the old variant uses the TLD “.com”, while the new one uses “.kz”. The DGA generates 30 domains per day. If no active C&C is found among the current day's domains, the bot walks back day by day up to 30 days and then forward up to 15 days, so on a single day there are 46 days × 30 = 1,380 ‘possible’ domains that a bot may contact and that have to be sinkholed or blocked.
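To make the window arithmetic concrete, here is an added example (our illustration, not the Pushdo code and not from the SecureWorks paper) that enumerates the 1,380 candidates for a given day in the order described above and walks them until one resolves. The per-day label generator is a placeholder hash construction chosen only so the script runs stand-alone; the real Pushdo generator, the date format it seeds from, and the resolver table are all assumptions here.

```python
import hashlib
from datetime import date, timedelta

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def candidate_domains(day, tld, per_day=30):
    """Return the per_day candidate domains for one calendar day.

    Placeholder generator (SHA-256 over ISO date and index, mapped to 8..12
    lowercase letters). This is NOT Pushdo's real algorithm, only a stand-in
    so the window logic below can be exercised offline.
    """
    out = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 5
        label = "".join(LETTERS[b % 26] for b in digest[1:1 + length])
        out.append(f"{label}.{tld}")
    return out


def dga_window(today, tld, back=30, forward=15, per_day=30):
    """Enumerate every (day, domain) pair a bot could contact around `today`.

    Order follows the behaviour described in the post: today's domains first,
    then one day back at a time (up to `back` days), then forward (up to
    `forward` days). With the defaults this is 46 days * 30 = 1380 domains.
    `today` may be a date or an ISO 8601 string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    days = ([today]
            + [today - timedelta(days=d) for d in range(1, back + 1)]
            + [today + timedelta(days=d) for d in range(1, forward + 1)])
    return [(d, dom) for d in days for dom in candidate_domains(d, tld, per_day)]


def find_active_c2(today, tld, resolve):
    """Walk the window in bot order and return (domain, ip) for the first
    domain that `resolve` answers for, or None if nothing in the window is live.

    `resolve` is injected so this runs offline; in practice it would be a DNS
    lookup (or a check against your sinkhole/blocklist feed).
    """
    for _, dom in dga_window(today, tld):
        ip = resolve(dom)
        if ip:
            return dom, ip
    return None


if __name__ == "__main__":
    # Constructed resolver table: pretend the operator registered the 11th
    # domain of the day before "today" (index 30 + 10 in bot order).
    window = dga_window("2013-05-07", "kz")
    registered = {window[40][1]: "203.0.113.5"}  # TEST-NET-3 address, made up
    print(f"{len(window)} candidates in the window")
    print("first active C&C:", find_active_c2("2013-05-07", "kz", registered.get))
```

The same enumeration with `tld="com"` yields the old variant's candidate list; only the suffix differs, which is why both lists must be covered when pre-registering or sinkholing.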

Before falling back to the DGA, however, the bot first tries its hard-coded C&Cs. The current one is lyuchta.org.

We have implemented the DGA and checked for active domains today (this is just an excerpt; the full list is longer):